Hacked Home: the Perils of Connected Devices

The Economist

July 11, 2014

Copyright 2014 The Economist Newspapers Ltd. All Rights Reserved

One night in April, a couple in Ohio was woken by the sound of a man shouting, "Wake up, baby!" When the husband went to investigate, he found the noise was coming from a web-connected camera they had set up to monitor their young daughter while she slept. As he entered her bedroom, the camera rotated to face him and a string of obscenities poured forth.

The webcam was made by a company called Foscam, and last year a family in Houston had a similar experience with one of their products. After that episode, Foscam urged users to upgrade the software on their devices and to make sure they had changed the factory-issued password. The couple in Ohio had not done so. The problem arose even though Foscam had taken all the right steps in response to the initial breach, which shows how hard it is to protect devices hooked up to the internet.

There will soon be a great many more of them. Cisco, a tech company, reckons that by the end of this decade there could be some 50 billion things with web connections. Among them will be lots of consumer gear, from cameras to cars, fridges and televisions.

This new network is already turning out to be very useful. Smart cars are able to read e-mails and text messages to drivers on the move; smart fridges carefully manage the energy they use; smart medical devices allow doctors to monitor patients from afar; and smart screens in the home display all kinds of useful information. Entire cities in South Korea are already rushing to link their infrastructure to the web to make it more efficient and improve services.

But security experts are sounding the alarm. "There is a big difference between the internet of things and other security issues," says Joshua Corman of I Am The Cavalry, a group of security specialists trying to promote greater awareness of emerging risks to public safety. "If my PC is hit by a cyber-attack, it is a nuisance; if my car is attacked, it could kill me."

This may smack of scaremongering, but researchers have already demonstrated that some vehicles are vulnerable to cyber-attacks. Modern cars are essentially a collection of computers on wheels, packed with many microcontrollers that govern their engines, brakes and so forth. Researchers such as Chris Valasek and Mathew Solnik have shown that it is possible to hack into these systems and take over a vehicle.

Their experiments, which include steering wheels suddenly being wrenched to one side and engines being switched off without warning, have caught the attention of carmakers. The techniques used to hack the vehicles' controls are sophisticated, and many require physical access to the engine, so for the moment this is unlikely to happen to your car. But technology moves fast: at an event in Singapore earlier this year two researchers showed off a car-hacking tool the size of a smartphone that cost less than $25 to build.

Some medical devices, including several types of insulin pump, have also been hacked in public demonstrations. Jay Radcliffe, a security researcher who happens to be diabetic, made headlines a few years ago when he discovered that his computerized insulin pump could be attacked by remotely entering the wireless-communications system that controlled it. A malicious hacker could have changed the amount of insulin being administered. In a recent blog post, Mr. Radcliffe gave warning that emerging medical technology is often ill-equipped to deal with threats arising in an interconnected world.

Other researchers agree. "There are just super simple flaws in some medical devices," says Billy Rios of Qualys, a cyber-security firm. Last year he and a colleague found "back doors" into various bits of medical equipment. These are passwords used by technicians from firms that sell the devices to update the software that runs them. A hacker with a back door could use it to, say, adjust an X-ray machine so that it administers a far higher dosage than its display shows. Mr. Rios took his findings to regulators and worked with them and with the companies involved to fix the flaws.

It all sounds rather worrying, but so far there has been no known case of a cyber-attack in which a car has been forced off the road or a medical device misappropriated. Mr. Rios accepts that some people think his research is designed to drum up sales for the cyber-security industry, but he insists that the risks are real.

Many items, including mundane things like light bulbs and door locks, are being hooked up to the internet by putting tiny computers into them and adding wireless connectivity. The problem is that these computers do not have enough processing power to handle antivirus and other defenses found on a PC. The margins on them are wafer-thin, so manufacturers have little scope for spending on security. And the systems are being produced in vast quantities, so hackers finding a flaw in one will be able to get into many others too.

This is already happening with some home wireless routers. Earlier this year Team Cymru, an American cyber-security firm, found a network of 300,000 compromised routers in various countries, including America, India, Italy and Vietnam. In 2012 crooks in Brazil took control of 4.5m routers, using the stolen information to plunder a large number of bank accounts.

A lot more devices with little computers inside them will end up in people's homes, often connected to one another via home-automation systems. That will make them tempting targets for cyber-attackers. In January Proofpoint, a security firm, claimed it had found evidence that a group of compromised devices, including home routers, televisions and a refrigerator, had been commandeered by hackers and were being used to pump out spam. That is annoying enough, but what if a tech-savvy arsonist were to find a way of, say, taking control of home boilers and turning them up so much that they burst into flames? Mr. Rios has already found tens of thousands of corporate heating, air-conditioning and ventilation systems online, many with vulnerabilities in their software that a hacker could exploit.

Some companies are now trying to build security into their products from the start. Broadcom, a chipmaker, recently unveiled a microchip specially designed for web-connected devices that has encryption capabilities baked into it, and Cisco has launched a competition offering prizes for the best ideas for securing the internet of things. But many firms plunging into this market are small startups which may not have much experience of cyber-security.

Corman worries that it may take a catastrophic event to get makers to focus on the need for better security in connected devices. But optimists believe that pressure from customers will be enough to force their hand.

The original headline for this article was: “Home, hacked home; The internet of things.”